The 10 Biggest Data Breaches of 2014 (So Far)
2014 Data Breaches Expose Basic Security Lapses
The Identity Theft Resource Center, which tracks public reports of data breaches, said it has logged nearly 400 incidents exposing credit card data and sensitive information in 2014. While retailers gain the most attention as a result of attacks against their payment systems, healthcare data, university information was also exposed in attacks. Security experts say the incidents expose password management lapses, poor data base management and oversight and the failure to identify and correct common Web application vulnerabilities. CRN pulled together 10 of the biggest breaches that surfaced since January.
Neiman Marcus said in January that as many as 1.1 million credit cards could have been compromised by surreptitiously installed software from mid-July to late October, the company last month revised that number to about 350,000 potentially affected cards. About 9,200 of those stolen credit cards were used fraudulently, according to a Neiman Marcus spokesperson.
The company said it conducted a vulnerability assessment of its payment card systems and reviewed its intrusion detection systems and firewalls. In addition to further hardening its systems and adding new security tools, Neiman Marcus also modified its software and security credentials.
Sutherland Healthcare Solutions
A data breach at Sutherland Healthcare Solutions impacted 338,700 California residents. The Los Angeles-based medical billing and collections agency said the breach was the result of a break-in at its office. The breach included the Social Security numbers, dates of birth and medical diagnoses contained in the company's database. Thieves made off with stolen computer equipment containing the data, the company told the Los Angeles Times in April. The company issued a $25,000 reward leading to the return of the stolen equipment or arrest and conviction of those responsible.
P.F. Chang's China Bistro
Scottsdale, Ariz.-based restaurant chain P.F. Chang's is still investigating the extent of its data security breach. The Secret Service notified the company in June that attackers struck the payment systems used at its 211 restaurant locations. The attack may have exposed thousands of cards between March and May of this year, according to Brian Krebs, a reporter who investigates credit card theft and organized cybercrime and noted a flood of new credit card data in underground hacking forums, where stolen information is sold.
In addition to obtaining digital forensics services, P.F. Chang's CEO Rick Federico ordered all restaurants to use manual credit card devices. The firm issued an update in July, announcing that it recently added "encryption-enabled terminals" at all of its locations, while its investigation continues.
Arts and crafts retailer Michaels Stores confirmed a breach of its payment systems in April that also included its subsidiary Aaron Brothers. The Irving, Texas-based comapany said investigators suspect that up to 3 million credit and debit cards may have been stolen. The attack took place between May 8, 2013 and Jan. 27, 2014, according to the retailer. The attackers targeted payment systems using memory scraping malware.
Two independent security firms conducted an assessment of the company's systems and determined that incident responders fully removed the malware and identified the full scope of the breach, the company said.
University of Maryland
The University of Maryland announced a data breach impacting 309,000 student faculty and staff records. The university said it detected authorized access to a database in February. The attacker removed containing the names, date of birth, and student identification numbers of current and former students and employees since 1998. The cause of the data breach is still under investigation.
The attacker gained access to the information by uploading malware to a university website used for uploading photos, according to university president Wallace Loh, who spoke to the Senate Committee on Commerce, Science, and Transportation. Loh said the attacker then obtained the account credentials of IT personnel maintaining the server. He told the committee that the university should have deleted much of the data from its systems.
Mechanicsburg, Penn.-based payroll services company Paytime Inc. confirmed that attackers gained access to the personal information of potentially more than 200,000 people. Paytime said it was notified in April that attackers gained access to its systems by stealing employee account credentials. The sensitive information included Social Security numbers, date of birth, wage information, direct deposit account information, home and cell phone numbers and other payroll information, the company said in a breach notification letter sent to impacted customers filed with the State of California.
State of Montana
The State of Montana announced a data security breach impacting 1.3 million people. The state said an attacker gained access to a server at its Department of Public Health and Human Services. The exposed data on the server included demographic information, such as names, addresses, dates of birth and Social Security numbers, according to the state's public information office. The server also contained information about the agency's contractors and current and former employees.
The server was shut down on May 15 immediately after suspicious activity was first detected. A forensics investigation was unable to determine if any information was accessed or stolen, the state's Chief Information Officer Ron Baldwin said. The agency has restored the server and installed additional security protection. The expected costs associated with the breach are expected to be covered by the state's $2 million cyberinsurance policy, officials said.
Veterans Of Foreign Wars Of The U.S.
Attackers targeted visitors to the website of the The Veterans of Foreign Wars of the U.S. this year in an apparent attempt to gain access to defense contractor intellectual property and other sensitive documents, according to security vendor FireEye, which discovered the threat. The VFW said it was informed of the incident in March and discovered that the breach exposed the information of up to 55,000 of its members. The combat veterans association said attackers targeted a website vulnerability and gained access to an underlying Web server containing the names, Social Security numbers and other details of some of its members. The website was used as an attack platform, redirecting visitors to a malicious web page that targeted an Adobe Flash zero-day vulnerability. FireEye said it believes the threat originated in China and sought people who may have had access to military plans and contracts.
Enterprise software maker Deltek said the account credentials of 80,000 employees of federal contractors were stolen in a breach of its Web application in March. As many as 25,000 credit and debit cards were also potentially exposed as a result of the security lapse, the company said in an email to vendors obtained by Federal News Radio. Deltek said attackers struck at a vulnerability in its GovWin IQ Web application, which tracks federal, state and local contracting opportunities. The company said it fixed its coding error and added other security measures, including improved password processes.
Spec's Family Partners
Attackers had access to the payment terminals at Spec's, a Houston-based wine and liquor retailer, for more than a year. The retailer, which announced the data breach in March, said attackers struck at the payment terminals of 34 of its smaller stores in October 2012, stealing about 550,000 customer credit and debit card numbers. The firm said it contained the lapse and provided information to the Secret Service, which is investigating the story. The firm said it also hired a Qualified Security Assessor to examine its systems and validate that it is compliant with the Payment Card Industry Data Security Standards.